
MDM: From Nice to Have to Necessity

Jamf
November 13, 2019

Transcript

  1. © JAMF Software, LLC
    MDM: From ‘Nice to Have’ to Necessity
    2:45 - 3:30 PM
    UP NEXT

  2. Rich Trouton
    • 20 years of Mac system support experience
    • Generally can be found drinking a Diet Coke
    • Has been known to write things down
    • @rtrouton on Twitter and Slack

  3. MDM: From "Nice to Have" To Necessity

  4. What is MDM?

  5. • API for sending device management commands
    • For iOS, usable on iOS 4.x and later.
    • For macOS, usable on 10.7.x and later.
    • For tvOS, usable on tvOS 10.x and later.
    • Not all MDM commands are backwards-compatible

  6. Which things are only possible when using MDM?
    • DEP-enabled setup
    • Remote wipe
    • App distribution using VPP
    • UAMDM-based management

  7. How does MDM management work?
    • Apple's push notification service (APNS)
    • Mobile device management (MDM) server


  8. http://init-p01st.push.apple.com/bag

  9. https://support.apple.com/HT203609

  10. • APNS never needs an inbound network connection on your network.
    • Only outbound connections from your network to Apple’s network (17.0.0.0/8) are needed for APNS.
    • APNS never makes unsolicited connections.
    • APNS uses TLS 1.2.
    • APNS authenticates all transactions with device tokens and payload tokens, and validates all SSL certificates.

  11. https://twocanoes.com/products/mac/push-diagnostics/

  12. https://twocanoes.com/products/mac/push-diagnostics/

  13. A Push Odyssey: Journey to the Center of APNS
    https://www.youtube.com/watch?v=Z-Lg9uBbmfk

  14. What’s an MDM server?
    1. HTTPS server
    2. Needs to be able to respond with both of the following:
    • HTTP 200 OK
    • A plist in XML format which contains a command.

  15. Perpetual plist passing

  16. Perpetual plist passing

  17. MDM Server Certificates
    • APNS Vendor Certificate
    • APNS Push Certificate

  18. MDM Server Certificates
    • APNS Vendor Certificate
    • Used to sign the APNS push certificate’s certificate signing requests (CSRs)

  19. MDM Server Certificates
    • APNS Push Certificate
    • Used by the MDM server to communicate with APNS

  20. https://identity.apple.com

  21. https://identity.apple.com

  22. APNS Apple ID Do’s and Don’ts
    Do:
    • Have an Apple ID dedicated just to creating your APNS certificate.
    • Have multiple Apple IDs for your APNS certificates if you have more than one MDM server.
    • Have the Apple ID(s) documented.

  23. APNS Apple ID Do’s and Don’ts
    Don’t:
    • Use a personal Apple ID.
    • Use an Apple ID tied to your specific work email address.
    • Lose the password to your Apple ID(s).

  24. APNS push certificate

  25. APNS push certificate topic

  26. APNS device token


  27. APNS Topic Topic


  28. APNS Topic + Device ID =

  29. = "Hey you! Check in with your MDM server!"
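The loop sketched on slides 14 through 16 and 27 through 29 (push notification carrying the topic plus the device's PushMagic, then the device checking in over HTTPS and the server answering HTTP 200 with a plist that holds one command), written out from the server's side. This is an added Python example, not code from the talk or from any MDM product; topic, UDID, device token and PushMagic values are constructed, and the `Status` values, the `CommandUUID` matching and the `DeviceInformation` request type follow Apple's MDM protocol.

```python
import json
import plistlib
import uuid


class MDMCommandQueue:
    """Server-side state for one enrolled device: the command queue plus what has
    been sent and what the device reported back."""

    def __init__(self):
        self.pending = []     # commands queued but not yet handed to the device
        self.in_flight = {}   # CommandUUID -> command delivered, awaiting a status
        self.results = {}     # CommandUUID -> the device's final status report

    def queue(self, request_type, **params):
        """Queue a command. CommandUUID is how the device's later reply is matched."""
        cmd = {"CommandUUID": str(uuid.uuid4()),
               "Command": {"RequestType": request_type, **params}}
        self.pending.append(cmd)
        return cmd["CommandUUID"]

    def next_response(self):
        """Body the HTTPS server returns with HTTP 200: an XML plist carrying one
        command, or an empty body when nothing is queued (the device then stops
        polling until the next push)."""
        if not self.pending:
            return b""
        cmd = self.pending.pop(0)
        self.in_flight[cmd["CommandUUID"]] = cmd
        return plistlib.dumps(cmd)

    def handle_report(self, body):
        """Consume the plist the device PUTs to the server URL and return the next
        response body: one turn of the 'perpetual plist passing' loop."""
        report = plistlib.loads(body)
        status = report["Status"]
        cmd_uuid = report.get("CommandUUID")
        if status == "Idle":
            pass  # device woke up from the push with nothing outstanding
        elif status == "NotNow":
            # device cannot run the command yet (e.g. locked); retry it later
            cmd = self.in_flight.pop(cmd_uuid, None)
            if cmd is not None:
                self.pending.insert(0, cmd)
            return b""
        elif status in ("Acknowledged", "Error", "CommandFormatError"):
            self.in_flight.pop(cmd_uuid, None)
            self.results[cmd_uuid] = report
        else:
            raise ValueError(f"unexpected Status {status!r}")
        return self.next_response()


def device_message(**fields):
    """Serialise a device-to-server message the way a device would (XML plist)."""
    return plistlib.dumps(fields)


def build_push(checkin):
    """From the device's TokenUpdate check-in, derive what the server hands to APNS:
    the topic (from the push certificate), the device token, and the payload. The
    payload carries only PushMagic; the command itself travels over the MDM channel."""
    return (checkin["Topic"], checkin["Token"].hex(),
            json.dumps({"mdm": checkin["PushMagic"]}))


def run_demo():
    """Walk one device through push, Idle check-in, command, and acknowledgement.
    All values are constructed for the example; nothing contacts APNS or a device."""
    checkin = {"MessageType": "TokenUpdate",
               "Topic": "com.apple.mgmt.External.00000000-demo",   # constructed
               "UDID": "DEMO-UDID-0001",                            # constructed
               "Token": bytes.fromhex("ab" * 32),                   # constructed
               "PushMagic": "DEMO-PUSHMAGIC-0001"}                  # constructed
    topic, token_hex, payload = build_push(checkin)

    q = MDMCommandQueue()
    cmd_uuid = q.queue("DeviceInformation", Queries=["UDID", "OSVersion"])
    # device receives the push, connects to the server URL, and reports Idle
    first = q.handle_report(device_message(Status="Idle", UDID=checkin["UDID"]))
    # device runs the command and reports the result under the same CommandUUID
    second = q.handle_report(device_message(
        Status="Acknowledged", UDID=checkin["UDID"], CommandUUID=cmd_uuid,
        QueryResponses={"UDID": checkin["UDID"], "OSVersion": "10.15.1"}))
    return {"topic": topic, "token": token_hex, "payload": payload,
            "first_response": plistlib.loads(first),
            "second_response": second,          # b"": queue drained
            "results": q.results}


if __name__ == "__main__":
    print(run_demo())
```

The push payload is deliberately tiny: it only tells the device to check in, which is why an attacker who could forge pushes still gets nothing without the HTTPS side, and why the server must keep the CommandUUID state to match replies rather than trusting a reply on its own.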

  30. OS X Mavericks
    Kernel extensions should be digitally signed using an Apple Developer ID for Signing Kexts certificate, but this code signing requirement is not enforced strictly. Unsigned kernel extensions can still be installed into /System/Library/Extensions, which is where kernel extensions have been installed up until OS X Mavericks. However, signed kernel extensions must be installed into /Library/Extensions.

    OS X Yosemite
    Kernel extensions must be digitally signed using an Apple Developer ID for Signing Kexts certificate and installed into /Library/Extensions. However, it is still possible on OS X Yosemite to enable a kernel extension developer mode which disables the code signing requirement.

  31. OS X El Capitan
    Kernel extensions must be digitally signed using an Apple Developer ID for Signing Kexts certificate and installed into /Library/Extensions. System Integrity Protection, introduced as part of OS X El Capitan, now enforces code signing and explicitly disables the kernel extension developer mode previously available in OS X Yosemite.

    macOS Sierra
    Kernel extensions must be digitally signed using an Apple Developer ID for Signing Kexts certificate and installed into /Library/Extensions. System Integrity Protection remains the enforcement mechanism.

  32. https://support.apple.com/HT207828

  33. MDM: macOS 10.13.0 - 10.13.3

  34. macOS High Sierra 10.13.0 - 10.13.3 + MDM
    Kernel extensions must be digitally signed using an Apple Developer ID for Signing Kexts certificate and installed into /Library/Extensions. System Integrity Protection remains the enforcement mechanism.

  35. UAMDM: macOS 10.13.4 - Now

  36. Device Enrollment Program (DEP)

  37. = UAMDM automatically enabled

  38. Volume Purchase Program (VPP)

  39. Managed Clients for Mac OS X

  40. Managed Clients for Mac OS X
    Managed                                            User Control
    None, Never: Unmanaged or never set                User has full control of setting
    Once: Preset with value from MCX                   User has full control of setting
    Often: Reset with value from MCX at each login     User has full control of setting; resets back to
                                                       MCX-enforced setting at logout
    Always: Forced from MCX                            User cannot control setting

  41. Mobile Device Management
    Managed                                            User Control
    None, Never: Unmanaged or never set                User has full control of setting
    Once: Preset with value from MCX                   User has full control of setting
    Often: Reset with value from MCX at each login     User has full control of setting; resets back to
                                                       MCX-enforced setting at logout
    Always: Forced from MCX                            User cannot control setting

  42. MDM ≠ Total Management
    MCX ≠ Total Management

  43. MDM ≠ Total Management
    Area                Profile Can Do                             Profile Cannot Do
    SSH                 Nothing                                    Turn SSH on and off
                                                                   Manage SSH configuration
    Sudo                Nothing                                    Manage access to the sudo tool
    Firewall            Turn firewall on and off                   Set IP- or DNS-based firewall rules
                        Enable stealth mode
                        Block incoming connections
                        Allow or block applications from connecting
    Application Access  Whitelist application by code signature
                        Blacklist application by code signature
    Directory Service   Bind to Active Directory                   Bind to LDAP*
    *Can bind to Apple's Open Directory

  44. AppleScript
    Ruby
    JavaScript
    Perl
    Shell
    Python

  45. Script Can Do:
    SSH                 Turn SSH on and off
                        Manage SSH configuration
    Sudo                Manage access to the sudo tool
    Firewall            Turn firewall on and off
                        Enable stealth mode
                        Block incoming connections
                        Allow or block applications from connecting
                        Set IP- or DNS-based firewall rules
    Directory Service   Bind to Active Directory
                        Bind to LDAP

  46. https://github.com/google/santa

  47. https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys

  48. https://derflounder.wordpress.com/2015/07/31/gatekeeper-automatically-re-enables-after-30-days-on-yosemite-and-later/

  49. defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool false

  50. https://openradar.appspot.com/22094327

  51. Always Manage / Manage Once

  52. Re-test for each OS

  53. vs
    1. See if you can use a profile.
    2. If not, use a script.
    3. Check back later to see if you can use a profile.
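The split on slides 43 and 45 (what a configuration profile can carry versus what needs a script) and the three-step rule on slide 53, applied to the firewall case. This is an added Python example, not code from the talk, from Jamf or from Apple: it builds a Firewall payload using the keys from Apple's profile-specific payload keys reference (`EnableFirewall`, `BlockAllIncoming`, `EnableStealthMode`, `Applications` with `BundleID`/`Allowed`) and routes anything else, such as an IP-based rule, to the script side. The `IPRules` key, the `com.example` identifiers and the 198.51.100.0/24 address are constructed placeholders.

```python
import plistlib
import uuid

# Keys of the com.apple.security.firewall payload as documented in Apple's
# profile-specific payload keys reference. A request using any other key is not
# something a profile can express and has to be handled by a script.
FIREWALL_PROFILE_KEYS = {"EnableFirewall", "BlockAllIncoming",
                         "EnableStealthMode", "Applications"}


def plan_firewall_settings(requested):
    """Steps 1 and 2 of the rule: keep whatever the Firewall payload supports for
    the profile and hand the remainder (e.g. IP- or DNS-based rules) to a script."""
    profile = {k: v for k, v in requested.items() if k in FIREWALL_PROFILE_KEYS}
    script = {k: v for k, v in requested.items() if k not in FIREWALL_PROFILE_KEYS}
    return {"profile": profile, "script": script}


def firewall_payload(settings, identifier="com.example.firewall"):  # identifier: constructed
    """One com.apple.security.firewall payload dictionary; refuses unknown keys so a
    setting the profile cannot enforce never silently disappears."""
    unknown = set(settings) - FIREWALL_PROFILE_KEYS
    if unknown:
        raise ValueError(f"not expressible in a Firewall payload: {sorted(unknown)}")
    for app in settings.get("Applications", []):
        if set(app) != {"BundleID", "Allowed"}:
            raise ValueError(f"Applications entries need BundleID and Allowed: {app}")
    return {"PayloadType": "com.apple.security.firewall",
            "PayloadVersion": 1,
            "PayloadIdentifier": identifier,
            "PayloadUUID": str(uuid.uuid4()),
            "PayloadDisplayName": "Firewall",
            **settings}


def build_profile(payloads, identifier="com.example.profile",  # identifier: constructed
                  display_name="Example Profile"):
    """Wrap payloads in a system-scoped configuration profile (XML plist bytes),
    the form an MDM server installs with an InstallProfile command."""
    profile = {"PayloadType": "Configuration",
               "PayloadVersion": 1,
               "PayloadScope": "System",
               "PayloadIdentifier": identifier,
               "PayloadUUID": str(uuid.uuid4()),
               "PayloadDisplayName": display_name,
               "PayloadContent": payloads}
    return plistlib.dumps(profile)


def load_profile(data):
    """Parse profile bytes back into a dict (what a deploying tool or a test checks)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    requested = {"EnableFirewall": True, "EnableStealthMode": True,
                 "Applications": [{"BundleID": "com.example.app", "Allowed": False}],
                 "IPRules": [{"deny": "198.51.100.0/24"}]}  # constructed; not a payload key
    plan = plan_firewall_settings(requested)
    print(build_profile([firewall_payload(plan["profile"])]).decode())
    print("left for a script:", plan["script"])
```

Step 3 of the rule (check back for each OS release) is where the key set above is the thing to revisit: when Apple documents a new payload key, the corresponding entry moves out of the script bucket and into the profile.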

  54. Useful Links
    Apple Mobile Device Management: https://developer.apple.com/documentation/devicemanagement
    Apple Device Management documentation: https://developer.apple.com/documentation/devicemanagement
    A Push Odyssey - Journey to the Center of APNS: https://www.youtube.com/watch?v=Z-Lg9uBbmfk
    Getting MicroMDM working and working with MicroMDM: https://youtube.com/watch?v=WGKT-PyHz6I
    Demystifying MDM: open source endeavours to manage Macs: https://youtube.com/watch?v=6DBGIDcBKFw

  55. Useful Links
    Apple Mobile Device Management Profile-Specific Payload Keys: https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys
    Santa: https://github.com/google/santa
    Gatekeeper automatically re-enables after 30 days on Yosemite and later: https://derflounder.wordpress.com/2015/07/31/gatekeeper-automatically-re-enables-after-30-days-on-yosemite-and-later/

  56. Downloads
    PDF available from the following link: https://tinyurl.com/JNUC2019PDF
    Keynote slides available from the following link: https://tinyurl.com/JNUC2019Keynote

  57. © JAMF Software, LLC
    Thank you for
    Give us feedback by completing the 2-question session
    UP NEXT
    Offboarding in a Modern Workflow
    4:00 PM